Will the Software Defined Perimeter Debunk the Cyber Kill Chain?

This is the first in a series of blogs that examine how Software Defined Perimeters (SDPs) can significantly improve security and reduce risk associated with the Cyber Kill Chain (or seven phases of attack). This week we will look at the impact of an SDP on “Reconnaissance.”

The “cyber kill chain” is term describing a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker’s path. Enterprises and organizations are advised to use the kill chain as a guide for improving security infrastructure and minimizing risk. It is widely recognized in government circles and has spawned the “threat intelligence” industry fueled by the DoD and Intel communities. The seven stages are defined as:

Step 1: Reconnaissance. The attacker gathers information on the target before the actual attack starts. He can do it by looking for publicly available information on the Internet.

Step 2: Weaponization. The attacker uses an exploit and creates a malicious payload to send to the victim. This step happens at the attacker side, without contact with the victim.

Step 3: Delivery. The attacker sends the malicious payload to the victim by email or other means, which represents one of many intrusion methods the attacker can use.

Step 4: Exploitation. The actual execution of the exploit, which is, again, relevant only when the attacker uses an exploit.

Step 5: Installation. Installing malware on the infected computer is relevant only if the attacker used malware as part of the attack, and even when there is malware involved, the installation is a point in time within a much more elaborate attack process that takes months to operate.

Step 6: Command and control. The attacker creates a command and control channel in order to continue to operate his internal assets remotely. This step is relatively generic and relevant throughout the attack, not only when malware is installed.

Step 7: Action on objectives. The attacker performs the steps to achieve his actual goals inside the victim’s network. This is the elaborate active attack process that takes months, and thousands of small steps, in order to achieve.

Any discussion of the Kill Chain starts with discussion of the need for a network that is 100 percent compliant with its mandatory IT controls that can that be used to build threat intelligence frameworks. Since its introduction by Lockheed Martin in 2011, the concept of the kill chain has become increasingly limited in that it 1) is very “intrusion-centric” (intrusion prevention solutions cannot provide 100% protection), and 2) is very perimeter-focused, primarily on malware, (one of many threat vectors facing today’s networks).

And while admirable in its intent, it is clear that the seven stages are philosophically rooted in simple discovery of ‘who’ is on the network, ‘what’ they are doing on the network, and ‘when’ did they get there? On top of this, each stage of the Kill Chain represents a possible entry point for bad actors and each stage must be secured in order to effectively prevent attacks.

What remains is the bigger question of HOW are you going to gain control of risks from the cyber threat and continue to do business?

The answer lies in the Software-Defined Perimeter (SDP). SDPs employ a zero visibility — authenticate-first approach by securing every connection to a service, application or critical infrastructure. It dynamically creates one-to-one connections between every authorized device, user and the data they access. It addresses the perimeter-less enterprise and is built on three core principles and should leveraged at every phase of the Kill Chain to maximize protection.

Zero Trust approach — SDPs Zero-Trust approach means that anyone attempting to access a resource must “authenticate first.” This applies the principle of least privilege to the network and completely reduces the attack surface. By default, users are not allowed to connect to anything – the opposite of traditional corporate networks, where once a user is given an IP address, they typically have access to everything on the network. Instead, SDPs ensure that once proper access criteria are met, a dynamic one-to-one connection is generated from the user’s machine to the specific resource needed. Everything else is completely invisible.

IP Agnostic Infrastructure – SDPs are architected for hybrid environments and are cloud-like. There is no centralized network chokepoint. It’s completely distributed and as scalable as the internet itself. An SDP is engineered to operate natively in cloud networks and are compatible with existing corporate networks, integrating and augmenting security tools and network devices, modernizing your existing investments.

Step 1 – Reconnaissance attacks

A reconnaissance attack, as the name implies, is the efforts of a threat actors to gain as much information about the network as possible before launching other more serious types of attacks. Quite often, the reconnaissance attack is implemented by using readily available information. A recent high profile example is the attack on Marriott hotels that involved years of reconnaissance.

What is the objective?

Reconnaissance Attacker will focus on “who”, or the “network”: “Who” will likely focus on privileged individuals (either for system access, or access to confidential data), “Network” will focus on architecture and layout; tools, devices and protocols; and critical infrastructure. It is like a robber understanding the behavior of the victim and then breaking into the victim’s house.

Types of reconnaissance attack:

Passive reconnaissance Definition: A hacker looks for information not related to victim domain. He just knows the registered domain to the target system so he can use commands (eg. Telephone directory) to fish information about the target

Active reconnaissance Definition: A hacker uses system information to gain unauthorized access to protected digital or electronic materials, and may go around routers or even firewalls to get it.

Enter Software Defined Perimeter

So when you consider Cyber Kill Chain “Reconnaissance,” SDP provides countermeasures by delivering proactive protection using the SPA packet and a “deny all” gateway. Even future reconnaissance mechanisms will be stopped with this approach. In a nutshell, because the infrastructure and applications within an SDP are essentially invisible to hackers, they cannot reconnaissance what they cannot see.

The Takeaway

Over-focus on the Cyber Kill Chain can actually be detrimental to network security. The Cyber Kill Chain, as cool as it sounds, reinforces old-school, perimeter-focused, malware-prevention thinking. And the fact is that intrusion prevention solutions cannot provide 100% protection. A persistent, highly determined, and highly skilled attacker will always find a way in. And once the attacker is past your perimeter, traditional Cyber Kill Chain-style prevention solutions like firewalls, sandboxes, and antivirus can’t help. Once they’ve bypassed these solutions, attackers are free to operate in your network unobstructed. With SDP, they cannot see, and therefore cannot know where to go, no matter how determined they might be.

Check back next week when we examine the relationship between step 2 of the Cyber Kill Chain – Weaponization, and the Software Defined Perimeter.